U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

National Information Technology Center
General Controls Review – Fiscal Year 2007

Report No. 88501-10-FM
September 2007


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 27, 2007

REPLY TO
ATTN OF:   88501-10-FM

TO:        Charles R. Christopherson, Jr.
           Chief Information Officer
           Office of the Chief Information Officer

THRU:      Sherry Linkins
           Office of the Chief Information Officer
           Information Resources Management

FROM:      Robert W. Young   /s/
           Assistant Inspector General for Audit

SUBJECT:   National Information Technology Center General Controls Review - Fiscal Year 2007

This report presents the results of our audit of the internal control structure at the Office of the Chief Information Officer/National Information Technology Center as of June 30, 2007. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States, including American Institute of Certified Public Accountants Professional Standards, commonly referred to as a Statement on Auditing Standards 70 audit. The report contains an unqualified opinion on the internal control structure and contains no recommendations.

If you have any questions, please call me at (202) 720-6945, or have a member of your staff contact Steve Rickrode, Director, Administration and Finance Division, at (202) 720-1918.


Executive Summary
National Information Technology Center General Controls Review - Fiscal Year 2007
(Audit Report No. 88501-10-FM)

Results in Brief

This report presents the results of our audit of the Office of the Chief Information Officer/National Information Technology Center's (OCIO/NITC) internal control structure as of June 30, 2007. Our review was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States, including American Institute of Certified Public Accountants Professional Standards as amended by applicable statements on auditing standards. Our report contains an unqualified opinion on the center's internal control structure.

Our objectives were to perform procedures necessary to express opinions about whether (1) OCIO/NITC's description of controls in exhibit A presents fairly, in all material respects, the aspects of OCIO/NITC's controls that may be relevant to a customer agency's internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC's controls; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from July 1, 2006, through June 30, 2007.

Our audit disclosed that the control objectives and techniques identified in exhibit A presented fairly, in all material respects, the relevant aspects of OCIO/NITC's control environment taken as a whole. Also, in our opinion, the policies and procedures, as described, were suitably designed to provide reasonable assurance that the control objectives would be achieved and were operating effectively.

Recommendation in Brief

We do not make any recommendations in this report.

USDA/OIG-A/88501-10-FM   Page i


Abbreviations Used in This Report

ASSERT     Automated Security Self-Evaluation and Remediation Tracking
C&A        certification and accreditation
ID         identification
IT         information technology
NIST       National Institute of Standards and Technology
NITC       National Information Technology Center
OCIO       Office of the Chief Information Officer
PIA        Privacy Impact Assessment
POA&M      Plan of Action and Milestones
RFP        Request for Procurement
SAC        Special Agreement Check
SFUG       Security Features User Guide
ST&E       Security Test and Evaluation
USDA       U.S. Department of Agriculture


Table of Contents

Executive Summary .......................................................... i
Abbreviations Used in This Report ......................................... ii
Report of the Office of Inspector General .................................. 1
Exhibit A – Office of Inspector General, Review of Selected Controls ....... 3


Report of the Office of Inspector General

To:   Charles R. Christopherson, Jr.
      Chief Information Officer
      Office of the Chief Information Officer

We have examined the control objectives and techniques identified in exhibit A for the U.S. Department of Agriculture's (USDA) Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description of control objectives and techniques of the USDA's OCIO/NITC presents fairly, in all material respects, the aspects of OCIO/NITC's controls that may be relevant to a customer agency's internal controls as they relate to an audit of financial statements; (2) the controls included had been placed in operation as of June 30, 2007; and (3) such controls were suitably designed to achieve the control objectives, if those controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC's controls. The control objectives were specified by OCIO/NITC.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants, and included those procedures necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the control objectives and techniques identified in exhibit A of this report present fairly, in all material respects, the relevant aspects of OCIO/NITC's controls that had been placed in operation as of June 30, 2007. Also, in our opinion, the controls included or referenced in exhibit A were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC's controls.

In addition, we performed tests to obtain evidence regarding the effectiveness of specific controls in meeting the control objectives included in exhibit A during the period from July 1, 2006, to June 30, 2007. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit A. This information has been provided to customer agencies and their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies. In our opinion, the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in exhibit A were achieved during the period from July 1, 2006, through June 30, 2007.

The relative effectiveness and significance of specific controls at OCIO/NITC and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual customer agencies.

The control objectives and techniques at OCIO/NITC are as of June 30, 2007, and information about tests of the operating effectiveness of specific controls covers the period from July 1, 2006, through June 30, 2007. Any projections of such information to the future are subject to the risk that, because of change, they may no longer portray the controls in existence. The potential effectiveness of specific controls at OCIO/NITC is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. The projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions. Furthermore, the accuracy and reliability of data processed by OCIO/NITC and the resultant reports ultimately rest with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCIO/NITC, its users, and their auditors.

/s/

Robert W. Young
Assistant Inspector General for Audit

August 27, 2007


Exhibit A – Office of Inspector General, Review of Selected Controls
Exhibit A – Page 1 of 16

The objectives of our examination were to perform testing necessary to express an opinion about whether (1) the Office of the Chief Information Officer/National Information Technology Center's (OCIO/NITC) description of controls in exhibit A presents fairly, in all material respects, the aspects of OCIO/NITC's controls that may be relevant to a customer agency's internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC's controls; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from July 1, 2006, through June 30, 2007.

This report is intended to provide users of OCIO/NITC with information about the control structure policies and procedures at OCIO/NITC that may affect the processing of user organizations' transactions, and also to provide users with information about the operating effectiveness of the policies and procedures that were tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at user organizations, is intended to assist user auditors in (1) planning the audit of user organizations' financial statements and (2) assessing control risk for assertions in user organizations' financial statements that may be affected by policies and procedures at OCIO/NITC.

Our testing of OCIO/NITC's control structure policies and procedures was restricted to the control objectives and the related policies and procedures listed in the matrices in this exhibit. Our testing was not intended to apply to any other procedures that were not included in the aforementioned matrices or to procedures that may be in effect at user organizations.

Our review was performed through inquiry of key OCIO/NITC personnel, observation of activities, examination of relevant documentation and procedures, and tests of controls. We also followed up on known control weaknesses identified in prior Office of Inspector General audits. We performed such tests as we considered necessary to evaluate whether the operating and control procedures described by OCIO/NITC, and the extent of compliance with them, are sufficient to provide reasonable, but not absolute, assurance that control objectives were achieved.

The description of the tests of operating effectiveness and the results of those tests are included in the following section of this report.

The matrices that follow list, for each NIST control area, the control objective, the control activities described by OCIO/NITC, the tests we performed, and our conclusion.


NIST Control Area: Access Control

Control Objective: Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise.

Control Activities: OCIO/NITC follows the U.S. Department of Agriculture (USDA) and the National Institute of Standards and Technology (NIST) guidelines for access control policies and procedures. OCIO/NITC's security directive establishes a "least privilege" mode of operation for its staff and contractors.

OCIO/NITC provides management of accounts through authorizations, approvals, and reviews. OCIO/NITC provides further control through the documentation and implementation of separation of duties.

OCIO/NITC also employs system settings to provide additional access controls. These include limiting unsuccessful login attempts, displaying warning banners, session locks, and session termination.

Tests Performed: We reviewed various OCIO/NITC documents regarding the management of information system accounts.

We examined recent change records supplied by OCIO/NITC in the form of e-mail confirmations from agencies served by OCIO/NITC to determine account review status and frequency.

We examined documents supplied by OCIO/NITC indicating implementation of access enforcement and discretionary access control.

We reviewed various types of documentation to ensure separation of duties and least privilege access.

We interviewed and observed system administrators to ensure lockouts occurred after a defined number of unsuccessful login attempts.

We reviewed samples of system use notification banners to ensure the information system displays an approved system use notification message before granting system access.

We interviewed and observed system administrators to ensure system timeouts and/or session termination occurred after a defined period of inactivity.

We examined documentation for evidence of organizational reviews and documentation of incidents and general user activity.

We examined sample output from mainframe systems to ensure automated marking of documents is in use.

We interviewed OCIO/NITC staff to determine if remote access occurred through secure methods.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: Awareness and Training

Control Objective: Organizations must (1) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (2) ensure that organizational personnel are adequately trained to carry out their assigned information security related duties and responsibilities.

Control Activities: The OCIO/NITC Information Security Program includes security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks. In this regard, the OCIO/NITC security directive for security awareness training requires new employees and contractor personnel to complete security awareness orientation before they are given access to OCIO/NITC computer systems.

The OCIO/NITC security directive for security awareness training also requires employees to complete annual security awareness training to renew their awareness of their security responsibilities.

OCIO/NITC requires employees and contractors to complete annual security awareness training that addresses basic USDA computer security concepts.

Tests Performed: We compared a listing of employees/contractors who completed AgLearn security training to a listing of all employees/contractors employed by OCIO/NITC to verify staff had completed required security training.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: Audit and Accountability

Control Objective: Organizations must (1) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (2) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Control Activities: OCIO/NITC follows NIST and USDA guidelines and has supplemented them with an OCIO/NITC specific security directive for audit and accountability.

The OCIO/NITC security directive for audit and accountability states that administrators/system owners will (1) ensure security related events are recorded in the system log, (2) ensure that the system logs are routinely reviewed, and (3) notify the Chief Security Staff of any actual or suspected security incident revealed during reviews. It also provides that the security staff will (1) randomly review system logs, (2) investigate reported incidents, (3) maintain a record of the reviews made by security staff, and (4) assist administrators/system owners with analyzing the system logs.

Tests Performed: We reviewed various documents to determine if log files were created and reviewed.

We reviewed audit logs to ensure appropriate information was captured.

Conclusion: OCIO/NITC controls were suitably designed to achieve the control objective but were not operating effectively. However, compensating access controls mitigate the risk to OCIO/NITC systems.

Additionally, OCIO/NITC is in the process of procuring software, hardware, maintenance, and training required for implementing a centralized Security Information and Event Management solution.


NIST Control Area: Certification, Accreditation, and Security Assessments

Control Objective: Organizations must (1) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application, (2) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems, (3) authorize the operation of organizational information systems and any associated information system connections, and (4) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Control Activities: OCIO/NITC follows USDA certification and accreditation (C&A) procedures, which require an independent Security Test and Evaluation (ST&E) to determine the effectiveness of the security controls on the information technology (IT) system, and the designated approving authority to decide whether or not to authorize the system for processing based on the ST&E results and residual risk. This accreditation decision, along with the supporting documentation and rationale, is documented in the final accreditation package.

OCIO/NITC has a security directive that defines required documentation for the accreditation package.

In addition, OCIO/NITC uses weaknesses identified from audits, reviews, self assessments, and the related corrective actions to document and track plans of action and milestones (POA&M). POA&Ms are tracked by the security staff and Project Management Office. OCIO/NITC reviews and updates System Security Plans and Privacy Impact Assessments (PIA) in addition to Annual Self Assessments.

Tests Performed: We obtained and reviewed ST&Es that were recently performed to ensure testing was based on NIST Special Publication 800-53.

We obtained and reviewed Interconnection Security Agreements between OCIO/NITC and other organizations to determine if agreements were in place for external systems connecting to OCIO/NITC.

We reviewed documentation to determine if POA&Ms were documented and monitored.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: Configuration Management

Control Objective: Organizations must (1) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles and (2) establish and enforce security configuration settings for IT products employed in organizational information systems.

Control Activities: OCIO/NITC has an administrative directive that requires changes to the configuration of OCIO/NITC owned systems to be approved by OCIO/NITC management prior to implementation, and that testing, customer coordination, and other key activities be documented. OCIO/NITC management approval is required for any changes.

Baseline configuration of the information system is documented as part of the C&A process. Additionally, component information is maintained in an asset management database, and component and software information is maintained in the Configuration Management Information Tracking System.

Tests Performed: We interviewed OCIO/NITC Configuration Management personnel to determine if significant changes had been made to OCIO/NITC Configuration Management policies and procedures.

We reviewed the system baseline documentation to ensure configurations were properly documented.

We obtained and reviewed change requests for several systems to ensure changes were documented, reviewed, and approved.

We reviewed samples of Configuration Control Board and Executive Review Board meeting minutes to determine if changes were reviewed and decisions to approve/disapprove were made.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.
We reviewed firewall and\n                                                                        router documentation to\n                                           OCIO/NITC uses a Cisco       determine if port use was\n                                           Security Agent client        properly configured and\n                                           configured for monitoring    documented.\n                                           system logs and program\n                                           libraries for Windows        We obtained and reviewed\n                                           systems and Computer         inventory lists to determine\n                                           Associates Examine for       if components of the\n                                           the mainframe to restrict    information system and\n                                           access when changes are      relevant ownership\n                                           being implemented.           
information were\n                                                                        maintained.\n\n   USDA/OIG-A/88501-10-FM                                                                                                   Page 8\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                            Exhibit A \xe2\x80\x93 Page 7 of 16\n\n\n NIST Control     Control Objective            Control Activities               Tests Performed                    Conclusion\n    Area\n                                           Additionally, the\n                                           OCIO/NITC systems are\n                                           configured according to\n                                           OCIO/NITC configuration\n                                           guides, which are built on\n                                           NIST and USDA\n                                           guidelines which\n                                           document the functions,\n                                           ports, and protocols that\n                                           are allowed.\n\n\n Contingency    Organizations must         OCIO/NITC follows              We reviewed various plans         OCIO/NITC controls were\n Planning       establish, maintain, and   planning policy and            related to contingency            suitably designed and\n                effectively implement      procedures provided by         planning for the enterprise,      operating effectively to\n                plans for emergency        OCIO Cyber Security.           
network, infrastructure           achieve the control\n                response, backup                                          support system, midrange          objectives.\n                operations, and post-      Contingency plans for          UNIX, Customer\n                disaster recovery for      OCIO/NITC systems              Information Management\n                organizational             address roles,                 System, and mainframe.\n                information systems to     responsibilities, contact\n                ensure the availability    information, and activities    We reviewed disaster\n                of critical information    associated with restoring      recovery test results to verify\n                resources and continuity   the system after a             tests performed and training\n                of operations in           disruption or failure are in   participants.\n                emergency situations.      place. The plans are\n                                           updated and tested at least    We reviewed documentation\n                                           annually. 
The USDA             related to off-site storage and\n                                           Mainframe General              alternate processing sites.\n                                           Support System plans are\n                                           tested twice each year.\n\n                                           OCIO/NITC backs up\n                                           user-level and system-\n                                           level information\n                                           (including system state\n                                           information) contained in\n                                           the information system\n                                           nightly and stores backup\n                                           information in a secured\n                                           alternate site.\n\n                                           Two alternate processing\n                                           sites have been identified\n                                           (1) a contracted hot site in\n                                           Boulder, Colorado, and\n                                           (2) a second OCIO/NITC\n                                           site in Beltsville,\n                                           Maryland. 
Both are used\n                                           for the resumption of\n                                           mission critical functions.\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                        Page 9\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                            Exhibit A \xe2\x80\x93 Page 8 of 16\n\n\n NIST Control       Control Objective             Control Activities             Tests Performed                   Conclusion\n    Area\n\n Identification   Organizations must          OCIO/ NITC follows            We obtained and reviewed        OCIO/NITC controls were\n and              identify information        identification and            policies and procedures         suitably designed and\n Authentication   system users, processes     authentication policy and     related to identification and   operating effectively to\n                  acting on behalf of         procedures provided by        authentication of information   achieve the control\n                  users, or devices and       OCIO Cyber Security and       system users and devices.       objectives.\n                  authenticate (or verify)    NIST guidelines.\n                  the identities of those     OCIO/NITC also has            We reviewed and verified\n                  users, processes, or        implemented a Personnel       baseline configurations.\n                  devices as a prerequisite   Security Plan and an\n                  to allowing access to       additional security           We observed logins to\n                  organizational              directive which provides      ensure passwords were not\n                  information systems.        guidance on passwords.        
displayed.\n                                              These guidelines and\n                                              directives assist\n                                              OCIO/NITC in managing\n                                              access to its systems.\n                                              OCIO/NITC also has an\n                                              administrative directive\n                                              that defines the revocation\n                                              process of identifiers.\n\n                                              OCIO/NITC requires\n                                              unique user identity and\n                                              authentication for access\n                                              to its systems.\n\n                                              Identification and\n                                              authentication of devices\n                                              is also required for access\n                                              to resources.\n\n\n Incident         Organizations must (1)      OCIO/NITC follows             We obtained and reviewed        OCIO/NITC controls were\n Response         establish an operational    Cyber Security incident       policies and procedures for     suitably designed and\n                  incident handling           response policy and           Incident Response.              operating effectively to\n                  capability for              procedures as described in                                    achieve the control\n                  organizational              Departmental regulations.     
We reviewed security            objectives.\n                  information systems                                       training information to\n                  that includes adequate      OCIO/NITC is developing       determine if personnel were\n                  preparation, detection,     policies and procedures to    trained in incident response\n                  analysis, containment,      formally document             roles and responsibilities.\n                  recovery, and user          OCIO/NITC controls.\n                  response activities; and                                  We reviewed incident\n                  (2) track, document, and    Information system            response reports to\n                  report incidents to         security incidents are        determine if incidents were\n                  appropriate                 tracked and documented        accurately and promptly\n                  organizational officials    based on procedures in        reported.\n                  and/or authorities.         Departmental regulations.\n\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                       Page 10\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                        Exhibit A \xe2\x80\x93 Page 9 of 16\n\n\n NIST Control     Control Objective             Control Activities             Tests Performed                 Conclusion\n    Area\n                                            OCIO/NITC promptly           We interviewed staff to\n                                            reports incident             determine who provides\n                                            information to OCIO          advice and assistance to\n                                            Cyber Security.              
users and administrators.\n\n\n\n\n Maintenance    Organizations must (1)      OCIO/NITC follows            We examined several            OCIO/NITC controls were\n                perform periodic and        maintenance policies and     documents regarding            suitably designed and\n                timely maintenance on       procedures provided by       maintenance of hardware and    operating effectively to\n                organizational              OCIO Cyber Security and      software.                      achieve the control\n                information systems;        NIST guidelines.                                            objectives.\n                and (2) provide                                          We examined the remote\n                effective controls on the   OCIO/NITC schedules,         administration systems\n                tools, techniques,          performs, and documents      regarding responsibilities,\n                mechanisms, and             routine preventative and     review of system logs and\n                personnel used to           regular maintenance on       documentation, and the\n                conduct information         the components of the        method of communication\n                system maintenance.         information system in        used by the system.\n                                            accordance with\n                                            manufacturer or vendor       We examined policy\n                                            specifications and/or        documents regarding\n                                            organizational               procedures for authorizing\n                                            requirements.                
staff to perform maintenance\n                                                                         and the circumstances\n                                            Hardware maintenance         allowing access.\n                                            processes are included in\n                                            hardware contracts.          We examined purchase order\n                                            Software maintenance         documents for the\n                                            procedures and upgrades      maintenance of information\n                                            are included in software     system hardware.\n                                            contracts.\n\n                                            Access to OCIO/NITC\n                                            systems is monitored, and\n                                            both physical and logical\n                                            access is controlled.\n\n                                            OCIO/NITC utilizes\n                                            \xe2\x80\x9cphone home\xe2\x80\x9d\n                                            connections to vendors for\n                                            diagnostic activities.\n                                            Additionally, personnel\n                                            authorizations are\n                                            documented in the\n                                            OCIO/NITC Personnel\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                   Page 11\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                           Exhibit A \xe2\x80\x93 Page 10 of 16\n\n\n  NIST Control     Control Objective              Control Activities       
      Tests Performed                   Conclusion\n     Area\n                                              Security Plan.\n                                              Background checks are\n                                              performed on all workers.\n\n                                              Visitors to controlled\n                                              areas are escorted.\n\n\n Media           Organizations must (1)       OCIO/NITC follows             We reviewed security            OCIO/NITC controls were\n Protection      protect information          policies and procedures       directive documentation for     suitably designed and\n                 system media, both           provided by OCIO Cyber        verification of system and      operating effectively to\n                 paper and digital, (2)       Security and NIST             system media categorization     achieve the control\n                 limit access to              guidelines.                   and control.                    objectives.\n                 information on\n                 information system           OCIO/NITC also has a          We reviewed security\n                 media to authorized          security directive which      directive and control\n                 users, and (3) sanitize or   provides for additional       documentation for\n                 destroy information          control for protection,       verification of system media\n                 system media before          control, and disposal of      sanitization and control.\n                 disposal or release for      documents, media, and\n                 reuse.                       
other sensitive materials.\n\n                                              Access to storage of media\n                                              is restricted to authorized\n                                              personnel.\n                                              Sanitation of equipment\n                                              and media prior to\n                                              disposal or reuse is\n                                              enforced through\n                                              OCIO/NITC\xe2\x80\x99s security\n                                              directive. All information\n                                              is treated as though it is\n                                              sensitive.\n\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                       Page 12\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                              Exhibit A \xe2\x80\x93 Page 11 of 16\n\n\n NIST Control      Control Objective             Control Activities               Tests Performed                     Conclusion\n    Area\n\n Physical and    Organizations must (1)      OCIO/NITC follows              We reviewed policies and           OCIO/NITC controls were\n Environmental   limit physical access to    physical and                   procedures related to              suitably designed and\n Protection      information systems,        environmental policies         physical and environmental         operating effectively to\n                 equipment, and the          and procedures provided        protection.                        
achieve the control\n                 respective operating        by OCIO Cyber Security                                            objectives.\n                 environments to             and NIST guidelines. In        We reviewed employee lists\n                 authorized individuals;     addition to those              and access lists and other\n                 (2) protect the physical    guidelines, OCIO/NITC          documentation to verify\n                 plant and support           has a physical security        access and annual reviews of\n                 infrastructure for          plan and procedures            access.\n                 information systems; (3)    included within their\n                 provide supporting          general controls that          We tested the functionality\n                 utilities for information   documents physical             and observed proper\n                 systems; (4) protect        control details.               operation of card readers and\n                 information systems                                        cameras.\n                 against environmental       OCIO/NITC keeps up-to-\n                 hazards; and (5) provide    date lists of personnel with   We interviewed staff\n                 appropriate                 authorized access using        regarding the monitoring of\n                 environmental controls      the facility security          physical access to the facility\n                 in facilities containing    system, known as On-           and access log\n                 information systems.        
Guard, to control access       documentation.\n                                             and issue badges.\n                                                                            We reviewed samples of\n                                             Access to restricted           video taken from three\n                                             computer operations is         access points.\n                                             granted through an\n                                             OCIO/NITC                      We reviewed the\n                                             administrative directive.      administrative policy\n                                             All physical access points,    regarding the verification\n                                             including access to            and admittance of visitors to\n                                             systems, are controlled by     information systems areas.\n                                             On-Guard and guards. For\n                                             systems in the data center,    We obtained and examined\n                                             physical access is             the documentation for\n                                             recorded on digital video      maintenance/testing of the\n                                             recorders. 
Visitors must       uninterruptible power\n                                             present proper                 supply, fire suppression\n                                             Identification (ID), sign a    system, and temperature and\n                                             log, and wear a visitor\xe2\x80\x99s      humidity controls.\n                                             badge.\n                                                                            We examined policy and\n                                             OCIO/NITC employs              documentation regarding\n                                             various equipment to           control of information\n                                             physically protect the         systems items entering and\n                                             information systems. This      exiting the facility.\n                                             includes an uninterruptible\n                                             power supply that\n                                             provides constant power,\n                                             sprinkler system in the\n                                             office spaces\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                          Page 13\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                       Exhibit A \xe2\x80\x93 Page 12 of 16\n\n\n NIST Control     Control Objective            Control Activities             Tests Performed                  Conclusion\n    Area\n                                            and a fire suppression\n                                            system in the data center,\n                                            temperature and\n                                     
       humidity level monitoring,\n                                            and employing master\n                                            shutoff water\n                                            valves.\n\n                                            Information system-\n                                            related items entering and\n                                            exiting the facility are\n                                            controlled by the System\n                                            Network Control Center,\n                                            who maintains appropriate\n                                            records of those items.\n\n\n Planning       Organizations must          System security plans are    We reviewed security plans,    OCIO/NITC controls were\n                develop, document,          reviewed and updated by      SFUGs, and PIAs for            suitably designed and\n                periodically update, and    the system owner annually    Customer Information           operating effectively to\n                implement security          or whenever a significant    Management Systems,            achieve the control\n                plans for organizational    change to the systems,       Infrastructure Support         objectives.\n                information systems         facilities, or other         System, Network, and           .\n                that describe the           conditions occurs. 
The       Mainframe.\n                security controls in        security staff directs and\n                place or planned for the    manages a security           We reviewed selected signed\n                information systems and     program, which is            user agreements for\n                the rules of behavior for   documented in the            employees/contractors.\n                individuals accessing       OCIO/NITC Security\n                the information             Plan. The Plan is\n                systems.                    reviewed and updated as\n                                            needed, at least annually.\n\n                                            OCIO/NITC develops and\n                                            distributes Security\n                                            Features User Guides\n                                            (SFUG) for each system.\n                                            SFUGs are updated as\n                                            systems evolve.\n\n                                            Each worker, both Federal\n                                            and contracted, must read\n                                            and sign a user agreement,\n                                            which outlines rules of\n                                            behavior before they are\n                                            allowed access to\n                                            OCIO/NITC information\n                                            systems.\n\n                                            PIAs are documented for\n                                            each system, following\n\n\n\n   USDA/OIG-A/88501-10-FM                                                                                                   Page 14\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                             
Exhibit A – Page 13 of 16

Control Activities (continued from the previous page): … USDA and NIST guidelines. The PIAs are updated annually.


NIST Control Area: Personnel Security

Control Objective: Organizations must (1) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions, (2) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers, and (3) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Control Activities: OCIO/NITC has a formal, documented personnel security plan that addresses purpose, scope, roles, responsibilities, and compliance. A risk designation is assigned to each position and is documented in the OCIO/NITC Personnel Security Plan. All workers, both Federal and contracted, must complete a favorable Special Agreement Check (SAC), which includes a Federal Bureau of Investigation fingerprint check. All Federal and contract employees are given a Federal Protective Service check and/or a SAC prior to having access to the facility, and further background checks are completed to establish the correct level of security clearance commensurate with the position they occupy. OCIO/NITC also has an administrative directive which is utilized for each employee who leaves OCIO/NITC, whether through removal, termination, reassignment, or retirement. Federal and contract personnel must read and sign a user agreement before they are allowed access to the OCIO/NITC information systems. Personnel Security requirements are also part of all statements of work for all third-party providers.

Tests Performed: We obtained and reviewed Personnel Security Policy and Procedures. We obtained and reviewed a personnel listing to verify the status of background investigations/reinvestigations. We reviewed the System User ID check list and the request to remove access to verify that departing personnel are out-processed correctly. We reviewed contractor statements of work to ensure personnel security requirements were properly identified and documented.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: Risk Assessment

Control Objective: Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

Control Activities: OCIO/NITC performs risk assessments as part of the security management process. Currently, OCIO/NITC follows USDA and NIST guidelines for risk management policies and procedures. Final risk determinations and related management approvals are documented and maintained in the Department’s Automated Security Self-Evaluation and Remediation Tracking (ASSERT) database. The information systems are categorized as part of the security management process using the system categorization tool within the ASSERT system. Risk assessments are performed as part of the security management process following USDA and NIST guidelines. OCIO/NITC conducts risk assessments every 3 years per USDA and NIST guidance, or when there has been a major change to the system or its environment. Vulnerability scans are performed monthly on appropriate systems. Ad-hoc scans can be run if new vulnerabilities are identified.

Tests Performed: We reviewed risk assessments to ensure systems were properly categorized. We reviewed the scan database.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: System and Services Acquisition

Control Objective: Organizations must (1) allocate sufficient resources to adequately protect organizational information systems; (2) employ system development life cycle processes that incorporate information security considerations; (3) employ software usage and installation restrictions; and (4) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

Control Activities: OCIO/NITC complies with software usage restrictions mandated by USDA Departmental memoranda. The rules are enforced through signed user agreements. In addition, all OCIO/NITC personnel must complete annual “Ethics” and “Security” training. OCIO/NITC also includes requirements for employing adequate security controls in all Statements of Work for all third-party providers.

Tests Performed: We reviewed user agreements to verify software usage restrictions were documented. We reviewed the Request for Procurement (RFP) for the off-site storage vendor to ensure that physical and personnel-related security controls were documented.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: System and Communications Protection

Control Objective: Organizations must (1) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (2) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Control Activities: Each OCIO/NITC information system is responsible for ensuring that unauthorized and unintended information transfer does not occur. A security directive implemented by OCIO/NITC establishes the security boundaries and responsibilities of OCIO/NITC and its customers. OCIO/NITC separates publicly accessible information system components through the use of firewalls and separate network nodes. OCIO/NITC employs various integrity-checking methods, depending on the system, to ensure the integrity of data transmissions. Network disconnects are also utilized to provide additional system and communication protection.

Tests Performed: We interviewed staff to determine if information systems prevent unauthorized and unintended information transfer via shared system resources. We interviewed staff to ensure the external boundary is properly protected. We interviewed staff to determine the integrity of transmitted information. We interviewed and observed system administrators regarding network disconnections.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.


NIST Control Area: System and Information Integrity

Control Objective: Organizations must (1) identify, report, and correct information and information system flaws in a timely manner; (2) provide protection from malicious code at appropriate locations within organizational information systems; and (3) monitor information system security alerts and advisories and take appropriate actions in response.

Control Activities: OCIO/NITC identifies flaws through several processes, including scans, assessments, audits, and the security management process. Flaws are reported and corrected using POA&Ms, which are tracked in the ASSERT tool. OCIO/NITC regularly receives information system security alerts from the Federal Computer Incident Response Center, OCIO Cyber Security, and vendors, and responds appropriately. Each OCIO/NITC information system verifies the correct operation of security functions based on its capabilities.

Tests Performed: We obtained and reviewed documentation of the subscription to security alert systems. We reviewed and verified system administrators’ input related to the verification of the operation of security functions.

Conclusion: OCIO/NITC controls were suitably designed and operating effectively to achieve the control objectives.